I am updating from 4.6.4-10 to 4.6.5-11 on CentOS 7. The server I am
working on is one of three in a production cluster.
The yum update failed and I get "Failed to authenticate to CA REST API"
in the ipa upgrade log.
I have followed past emails that state the contents of
ldapsearch -D cn=directory\ manager -W -b uid=ipara,ou=people,o=ipaca
must match
/var/lib/ipa/ra-agent.pem
I did find that they did not match, so I created an LDIF file to make the
LDAP entry uid=ipara,ou=people,o=ipaca match /var/lib/ipa/ra-agent.pem,
but I still get the same problem.
============
BEFORE
dn: uid=ipara,ou=people,o=ipaca
description: 2;234;CN=Certificate Authority,O=MGMT.CROSSCHX.COM;CN=IPA RA,O=MGMT.CROSSCHX.COM
uid: ipara
sn: ipara
usertype: agentType
userstate: 1
userCertificate:: MIIDfTC...CUirreECTetw==
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
cn: ipara
snippet of ra-agent.pem
MIIDfTCCA...SLZXf2l
(root)>openssl x509 -noout -text -in /var/lib/ipa/ra-agent.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 7 (0x7)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=MGMT.CROSSCHX.COM, CN=Certificate Authority
Validity
Not Before: Jan 24 16:44:17 2018 GMT
Not After : Jan 14 16:44:17 2020 GMT
Subject: O=MGMT.CROSSCHX.COM, CN=IPA RA
The serial number, issuer, and subject do not match so I created the
following LDIFs.
ipaca-1.ldif
dn: uid=ipara,ou=people,o=ipaca
changetype: modify
replace: userCertificate
userCertificate: MIIDfTCCA...SLZXf2l
ipaca-2.ldif
dn: uid=ipara,ou=people,o=ipaca
changetype: modify
replace: description
description: 2;7;O=MGMT.CROSSCHX.COM, CN=Certificate Authority;O=MGMT.CROSSCHX.COM, CN=IPA RA
I then applied them like this
# ldapmodify -x -D 'cn=Directory Manager' -W -f /root/ipaca-1.ldif
# ldapmodify -x -D 'cn=Directory Manager' -W -f /root/ipaca-2.ldif
AFTER
dn: uid=ipara,ou=people,o=ipaca
usercertificate: MIIDfTCCA...SLZXf2l
description: 2;7;O=MGMT.CROSSCHX.COM, CN=Certificate Authority;O=MGMT.CROSSCHX.COM, CN=IPA RA
===========
None of the certs have expired
(root)>getcert list | grep -i expires
expires: 2020-01-25 18:20:55 UTC
expires: 2020-01-14 16:43:59 UTC
expires: 2020-01-14 16:43:59 UTC
expires: 2020-01-14 16:43:59 UTC
expires: 2038-01-24 16:43:58 UTC
expires: 2020-01-14 16:44:17 UTC
expires: 2021-12-07 15:49:57 UTC
expires: 2039-09-04 17:51:34 UTC
expires: 2020-01-25 18:17:26 UTC
expires: 2020-01-25 18:18:20 UTC
When I rerun ipa-server-upgrade manually I still get the same problem. I am
able to validate that the contents of the ra-agent.pem file and the LDAP entry
are the same by matching the content and verifying their MD5 checksums.
When I attempt an ipactl stop / ipactl start, it notices that the server
needs to be upgraded and attempts the upgrade. How do I recover the server?
--
Mike Plemmons
Senior Infrastructure Engineer
614-427-2411
<https://oliveai.com/>
99 E. Main Street
Columbus, OH 43215
oliveai.com
Meet Olive, Your Newest Employee <https://youtu.be/9Vf84z9KA6Y>
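The mail compares the RA agent PEM with the LDAP entry by eye and by MD5 of the base64 text. The script below is an added example (standard library only; it is not code from the mail, from FreeIPA or from Dogtag) that does the same comparison mechanically: it unfolds the LDIF, decodes `::` base64 values to DER, derives the expected description from `openssl x509 -text` output, and reports what differs. Two things it checks are visible in the mail itself: the BEFORE entry stores the certificate with `userCertificate::` (base64 of DER) while ipaca-1.ldif loads it with a single colon, and the BEFORE description writes DNs as `CN=...,O=...` while ipaca-2.ldif pastes them in openssl's `O=..., CN=...` order. The description layout `2;<serial decimal>;<issuer DN>;<subject DN>` is an assumption inferred from the BEFORE entry, the DN reversal is the usual relation between openssl's rendering and the RFC 4514 string form, and the certificate bytes are a labelled placeholder, since no real certificate is on the page.

```python
"""Check that /var/lib/ipa/ra-agent.pem agrees with uid=ipara,ou=people,o=ipaca.

Added example (standard library only); not code from the original mail, from
FreeIPA or from Dogtag. All inputs below are constructed strings modelled on
the values quoted in the mail. Assumption: the description attribute has the
form '2;<serial, decimal>;<issuer DN>;<subject DN>' with DNs in RFC 4514
order (CN first), as seen in the BEFORE entry.
"""
import base64
import re
import textwrap


def parse_ldif(text):
    """Parse one LDIF entry into {lowercased attribute: [bytes values]}.

    Folded lines (leading space) are joined back, and 'attr:: value' is
    base64-decoded, which is how ldapsearch prints binary values such as
    userCertificate.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):          # '::' marks a base64 value
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip().encode()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def pem_to_der(pem):
    """Drop the PEM armour and decode the body to DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def parse_serial(text):
    """Serial from 'openssl x509 -text': small ones print as '7 (0x7)',
    large ones as a colon-separated hex string on the following line."""
    m = re.search(r"Serial Number:\s*(\d+)\s*\(0x", text)
    if m:
        return int(m.group(1))
    m = re.search(r"Serial Number:\s*\n\s*([0-9a-fA-F:]+)", text)
    return int(m.group(1).replace(":", ""), 16)


def openssl_dn_to_ldap(dn):
    """'O=X, CN=Y' (openssl, root first) -> 'CN=Y,O=X' (RFC 4514 string form).
    Simplification: assumes no escaped commas inside attribute values."""
    return ",".join(reversed([rdn.strip() for rdn in dn.split(",")]))


def expected_description(openssl_text):
    """Build the description value Dogtag is assumed to expect (see module doc)."""
    issuer = re.search(r"Issuer:\s*(.+)", openssl_text).group(1).strip()
    subject = re.search(r"Subject:\s*(.+)", openssl_text).group(1).strip()
    return "2;%d;%s;%s" % (parse_serial(openssl_text),
                           openssl_dn_to_ldap(issuer), openssl_dn_to_ldap(subject))


def check_ra_agent(ldif_text, openssl_text, pem_text):
    """Return a list of mismatches; an empty list means entry and PEM agree."""
    entry = parse_ldif(ldif_text)
    problems = []
    der = pem_to_der(pem_text)
    stored = entry.get("usercertificate", [])
    if der not in stored:
        if base64.b64encode(der) in stored:
            # Loaded with 'userCertificate:' instead of 'userCertificate::':
            # the directory holds the base64 text, not the DER certificate.
            problems.append("userCertificate holds base64 text, not DER (use '::' in the LDIF)")
        else:
            problems.append("userCertificate does not match ra-agent.pem")
    want = expected_description(openssl_text).encode()
    if want not in entry.get("description", []):
        problems.append("description should be %r" % want.decode())
    return problems


# --- constructed sample data (placeholder bytes, NOT a real certificate) ---
FAKE_DER = b"placeholder DER bytes standing in for the RA agent certificate"
FAKE_B64 = base64.b64encode(FAKE_DER).decode()
PEM_TEXT = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(FAKE_B64, 64))
            + "\n-----END CERTIFICATE-----\n")
OPENSSL_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Issuer: O=MGMT.CROSSCHX.COM, CN=Certificate Authority
        Subject: O=MGMT.CROSSCHX.COM, CN=IPA RA
"""
# Entry shaped like the BEFORE record in the mail (folded line, '::' value).
GOOD_LDIF = f"""dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=MGMT.CROSSCHX.COM;CN=IPA RA,O=MG
 MT.CROSSCHX.COM
uid: ipara
userCertificate:: {FAKE_B64}
"""
# Entry as the ipaca-1/ipaca-2 LDIFs would leave it: single colon, openssl DN order.
BAD_LDIF = f"""dn: uid=ipara,ou=people,o=ipaca
description: 2;7;O=MGMT.CROSSCHX.COM, CN=Certificate Authority;O=MGMT.CROSSCHX.COM, CN=IPA RA
userCertificate: {FAKE_B64}
"""

if __name__ == "__main__":
    for label, ldif in (("good", GOOD_LDIF), ("bad", BAD_LDIF)):
        print(label, check_ra_agent(ldif, OPENSSL_TEXT, PEM_TEXT) or ["ok"])
```

On a real server the three inputs would come from `ldapsearch -D 'cn=directory manager' -W -b uid=ipara,ou=people,o=ipaca`, `openssl x509 -noout -text -in /var/lib/ipa/ra-agent.pem` and the PEM file itself; comparing DER rather than base64 text is what makes the single-colon case detectable, because the MD5 of the base64 text matches in both cases.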
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]